CVE description "A race condition in Linux kernel 2.6.17.4 and earlier allows
local users to gain root privileges by using prctl with PR_SET_DUMPABLE in a way
that causes /proc/self/environ to become setuid root."
An exploit was posted to full-disclosure and other lists that can gain root
privileges on some 2.6 kernels. Whilst the exploit as published will not work
on RHEL4 systems, it may well be exploitable in different ways.

Q: Is Red Hat Enterprise Linux vulnerable to the /proc privilege
escalation (CVE-2006-3626) exploit?
CVE-2006-3626 describes a race condition in Linux kernel 2.6.18-rc1
(including 2.6.17.4 and 2.6.16.24) and earlier that allows a local
user to gain root privileges. It is possible to change the mode of
/proc/self/environ to 4755 (suid) and to include a small a.out binary
in it. After that it is possible through prctl() with PR_SET_DUMPABLE
to flip the owner and group to root:root. This allows the user to get a
root shell. A working exploit was posted to Full Disclosure on
the 14th of July, 2006 [1].
To make this exploit work it is important that the running Linux
kernel supports the a.out (Assembler.OUTput) binary format. The a.out
binary format got replaced by ELF (Executable and Linkable Format)
starting back in 1995 and every modern Linux distribution uses ELF
only binaries.
This issue does not affect Red Hat Enterprise Linux 2.1 or 3 as they
are based on 2.4 kernels which are not vulnerable to this issue.
Red Hat Enterprise Linux 4 is based on the Linux kernel 2.6.9,
where the race condition also exists, but the a.out format is not
enabled. The kernel option CONFIG_BINFMT_AOUT is set to "n". Since the
a.out format is not available, the available exploit won't succeed. The
exploit will fail with the message "failed: Exec format error" which
indicates the missing a.out support of the RHEL4 kernel. We are not
currently aware of any way to exploit this vulnerability if a.out
format is not enabled.
One key attack vector of this exploit is that it is possible to
change the mode of the /proc file to any possible mode (including
suid). The change to suid shouldn't be allowed and a RHEL4 installation
with activated SELinux in enforcing mode with targeted policy will
prevent it. This is the mode SELinux will be in for a default
installation. In this case the exploit will never succeed and fail
with a "failed: Permission denied" error.
We recommend that SELinux should be activated. It effectively
protects systems against this exploit. The current SELinux status
can be checked with "getenforce" and changed through
"system-config-securitylevel" [2].
Attempts to run this exploit on RHEL4 with SELinux in enforcing mode
will fail and they will be logged through the audit subsystem. The
system log files will show messages like this:
audit(1152957171.464:5): avc: denied { setattr } for pid=6291
comm="h00lyshit" name="environ" dev=proc ino=412286986
scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t
tclass=file
The "setattr" is used to change the mode of a file or directory
and this message shows the attempt of the exploit to change
/proc/self/environ to suid which is not allowed by the targeted
SELinux policy.
In addition, another workaround for this problem is to mount the /proc
filesystem with the nosuid option. On a running system this can
be done with the command "mount -o remount,nosuid /proc". To make
this permanent the mount options in /etc/fstab should be changed.
[1] http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/047907.html
[2] http://kbase.redhat.com/faq/FAQ_93_4844.shtm

The Red Hat Security response team have therefore rated this as having moderate
security severity for Enterprise Linux 4. No kernel update is currently
planned; the fix for the flaw will be included in a later scheduled update.
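The comment above gives two defensive checks an administrator can automate: spotting the SELinux AVC "setattr" denial that the exploit leaves in the audit log, and confirming that /proc is mounted with nosuid. The following script is an added example written for this page; it is not Red Hat's code and not part of the bug report. The sample audit lines and the /proc/mounts lines are constructed (modelled on the denial quoted above), and the parser assumes the standard `key=value` field layout of AVC messages as shown in the comment.

```python
import re

# Constructed sample audit log (not a real capture). The first line mirrors the
# denial quoted in the bug report; the other two are decoys the filter must skip.
SAMPLE_AUDIT_LOG = """\
audit(1152957171.464:5): avc: denied { setattr } for pid=6291 comm="h00lyshit" name="environ" dev=proc ino=412286986 scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=file
audit(1152957180.101:6): avc: denied { read } for pid=6300 comm="cat" name="shadow" dev=hda1 ino=123 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:shadow_t tclass=file
audit(1152957190.222:7): avc: granted { getattr } for pid=6310 comm="ls" name="environ" dev=proc ino=412286986 scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=file
"""

# "avc: denied { perm perm } for key=value key="value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# Values are either double-quoted (comm, name) or a bare token (pid, dev, contexts).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC message into a dict, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        "decision": m.group('decision'),
        "perms": set(m.group('perms').split()),
        **fields,
    }


def is_proc_setattr_denial(rec):
    """True for a denied setattr on a file under procfs, the signature the
    targeted policy produces when the mode of /proc/<pid>/environ is changed."""
    return (
        rec is not None
        and rec["decision"] == "denied"
        and "setattr" in rec["perms"]
        and rec.get("dev") == "proc"
        and rec.get("tclass") == "file"
    )


def find_proc_setattr_denials(log_text):
    """Return the parsed records of every matching denial in the given log text."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if is_proc_setattr_denial(rec):
            hits.append(rec)
    return hits


def proc_has_nosuid(mounts_text):
    """Check /proc/mounts-style text ("dev mountpoint fstype options dump pass")
    for a proc mount carrying the nosuid option recommended as a workaround."""
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[1] == "/proc" and parts[2] == "proc":
            return "nosuid" in parts[3].split(",")
    return False


if __name__ == "__main__":
    for hit in find_proc_setattr_denials(SAMPLE_AUDIT_LOG):
        print("procfs setattr denied: pid=%s comm=%s name=%s"
              % (hit["pid"], hit["comm"], hit["name"]))
    try:
        with open("/proc/mounts") as fh:
            mounts = fh.read()
    except OSError:
        # Constructed fallback for systems without /proc/mounts.
        mounts = "proc /proc proc rw 0 0\n"
    print("/proc mounted nosuid:", proc_has_nosuid(mounts))
```

Run over a real audit log the filter isolates only the denials that matter for this flaw; the `granted` getattr and the unrelated shadow-file denial in the sample are ignored. The nosuid check reads the live mount table when run as a script, so it can be dropped into a compliance job alongside `getenforce`.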

Created attachment 132603
Proposed patch for 2.6.17-stable inclusion
This patch is a backport of the upstream patch for 2.6.17. The backport was
needed, because fs/proc/base.c changed a lot between 2.6.17 and 2.6.18-rc2.
This patch doesn't obsolete the quick fix. Both should be applied to increase
the security.

After further investigation, Red Hat discovered an alternative method of
exploiting this vulnerability that does not rely on either ELF or a.out embedded
code. On some systems (depending on other functionality installed) it is
possible to use this race condition to gain root privileges on Red Hat
Enterprise Linux 4 systems. The RHSA-2006:0617 errata fixes the behavioral flaw
of the /proc filesystem.
On systems with enabled SELinux in enforcing mode this alternative method will
fail and all attempts will be logged through the audit subsystem.
The systems running Red Hat Enterprise Linux 2.1 and 3 are not vulnerable to any
of these attack methods. The 2.4 Linux kernel doesn't allow changing the mode
of /proc/<pid>/ files.

An advisory has been issued which should help with the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
http://rhn.redhat.com/errata/RHSA-2006-0617.html